## Secure Distributed Key Generation for Discrete-Log ... - CiteSeerX

Apr 19, 1999 - IBM T.J.Watson Research Center, PO Box 704, Yorktown Heights, NY 10598, USA. ...... literature this is also known as a rushing adversary.
Secure Distributed Key Generation for Discrete-Log Based Cryptosystems Rosario Gennaro

,



, April 19, 1999

Stanislaw Jarecki

y

Hugo Krawczyk

and

z

Tal Rabin

Abstract



Distributed key generation is a main component of threshold cryptosystems and distributed cryptographic computing in general. Solutions to the distributed generation of private keys for discrete-log based cryptosystems have been known for several years and used in a variety of protocols and in many research papers. However, these solutions fail to provide the full security required and claimed by these works. We show how an active attacker controlling a small number of parties can bias the values of the generated keys, thus violating basic correctness and secrecy requirements of a key generation protocol. In particular, our attacks point out to the places where the proofs of security fail. Based on these ndings we designed a distributed key generation protocol which we present here together with a rigorous proof of security. Our solution, that achieves optimal resiliency, can be used as a drop-in replacement for key generation modules as well as other components of threshold or proactive discrete-log based cryptosystems. Keywords: Threshold Cryptography. Distributed Key Generation. VSS. Discrete Logarithm.

 IBM T.J.Watson Research Center, PO Box 704, Yorktown Heights, NY 10598, USA. E-mail: frosario,[email protected] y MIT Laboratory for Computer Science, 545 Tech Square, Cambridge, MA 02139, USA. E-mail: [email protected] z Department of Electrical Engineering, Technion, Haifa 32000, Israel, and IBM T.J. Watson Research Center, New York, USA. E-mail: [email protected]

1 Introduction Distributed key generation is a main component of threshold cryptosystems. It allows a set of n servers to jointly generate a pair of public and private keys according to the distribution de ned by the underlying cryptosystem without having to ever compute, reconstruct, or store the secret key in any single location and without assuming any trusted party (dealer). While the public key is output in the clear, the private key is maintained as a (virtual) secret shared via a threshold scheme. In particular, no attacker can learn anything about the key as long as it does not break into a speci ed number, t + 1, of servers. This shared private key can be later used by a threshold cryptosystem, e.g., to compute signatures or decryptions, without ever being reconstructed in a single location. For discrete{log based schemes, distributed key generation amounts to generating a secret sharing of a random, uniformly distributed value x and making public the value y = g x. We refer to such a protocol as DKG. A DKG protocol may be run in the presence of a malicious adversary who corrupts a fraction (or threshold) of the players and forces them to follow an arbitrary protocol of his choice. Informally, we say that a DKG protocol is secure if the output of the non-corrupted parties is correct (i.e. the shares held by the good players de ne a unique uniformly distributed value x and the public value y satis es y = g x), and the adversary learns no information about the chosen secret x beyond, of course, what is learned from the public value y . Solutions to the shared generation of private keys for discrete-log based threshold cryptosystems [DF89] have been known and used for a long time. Indeed, the rst DKG scheme was proposed by Pedersen in [Ped91a]. It then appeared, with various modi cations, in several papers on threshold cryptography, e.g., [CMI93, Har94, LHL94, GJKR96, HJJ+ 97, PK96, SG98], and distributed cryptographic applications that rely on it, e.g., [CGS97]. Moreover, a secure DKG protocol is an important building block in other distributed protocols for tasks di erent than the generation of keys. One example is the generation of the randomizers in discrete-log based signature schemes (for example the r value in a (r; s) DSS signature as in [GJKR96]). Another example is the generation of the refreshing polynomial in proactive secret sharing and signature schemes [HJKY95, HJJ+ 97, FGMY97]. The basic idea in Pedersen's DKG protocol [Ped91a] (as well as in the subsequent variants) is to have n parallel executions of Feldman's veri able secret sharing (VSS) protocol [Fel87] in which each player Pi acts as a dealer of a random secret zi that he picks. The secret value x is taken to be the sum of the properly shared zi 's. Since Feldman's VSS has the additional property of revealing yi = g zi , the public value y is the product of the yi 's that correspond to those properly shared zi 's. In this paper we show that, in spite of its use in many protocols, Pedersen's DKG cannot guarantee the correctness of the output distribution in the presence of an adversary. Speci cally, we show a strategy for an adversary to manipulate the distribution of the resulting secret x to something quite di erent from the uniform distribution. This aw stresses a well-known basic principle for the design of cryptographic protocols, namely, that secure components can turn insecure when composed to generate new protocols. We note that this ability of the attacker to bias the output distribution represents a aw in several aspects of the protocol's security. It clearly violates the basic correctness requirement about the output distribution of the protocol; but it also weakens the secrecy property of 1

the solution. Indeed, the attacker acquires in this way some a-priori knowledge on the secret which does not exist when the secret is chosen truly at random. Moreover, these attacks translate into aws in the attempted proofs of these protocols; speci cally, they show that simulation arguments (a la zero-knowledge) as used to prove the secrecy of these protocols must fail. In contrast to the above, we present a protocol that enjoys a full proof of security. We rst present the formal requirements for a secure solution of the DKG problem, then present a particular DKG protocol and rigorously prove that it satis es the security requirements. In particular, we show that the output distribution of private and public keys is as required, and prove the secrecy requirement from the protocol via a full simulation argument. Our solution is based on ideas similar to Pedersen's DKG (in particular, it also uses Feldman's VSS as a main component), but we are careful about designing an initial commitment phase where each player commits to its initial choice zi in a way that prevents the attacker from later biasing the output distribution of the protocol. For this commitment phase we use another protocol of Pedersen, i.e., Pedersen's VSS (veri able secret sharing) protocol as presented in [Ped91b]. Very importantly, our solution preserves most of the eciency and simplicity of the original DKG solution of [Ped91a], in particular it has comparable computational complexity and the same optimal threshold of t < n=2. Organization: In Section 2 we present the basic communication and adversarial models for our protocols. In Section 3 we describe previously proposed solutions to the DKG problem and show where they fail. In Section 4 we present our solution and its full analysis; we also discuss some other applications of our protocol. Finally, in Section 5 we discuss an enhanced (and more realistic) security model under which our solution works as well.

2 Preliminaries

Communication Model. We assume that our computation model is composed of a

set of n players P1 ; : : :; Pn that can be modeled by polynomial-time randomized Turing machines. They are connected by a complete network of private (i.e. untappable) point-topoint channels. In addition, the players have access to a dedicated broadcast channel. For simplicity of the discussion that follows, we assume a fully synchronous communication model, i.e. that messages of a given round in the protocol are sent by all players simultaneously, and that they are simultaneously delivered to their recipients. This model is not realistic enough for many applications, but it is often assumed in the literature; moreover, our attacks against known DKG protocols (Section 3) work even in this simpli ed setting. In Section 5 we introduce a more realistic, partially synchronous communication model. Our solution to the DKG problem (Section 4) and its security proof work in this strictly stronger adversarial model. The Adversary. We assume that an adversary, A, can corrupt up to t of the n players in the network, for any value of t < n=2 (this is the best achievable threshold { or resilience { for solutions that provide both secrecy and robustness). We consider a malicious adversary that may cause corrupted players to divert from the speci ed protocol in any way. We assume that the computational power of the adversary is adequately modeled by a probabilistic 2

polynomial time Turing machine. Our adversary is static, i.e. chooses the corrupted players at the beginning of the protocol (see section 4.2 for a reference to a recent extension of our results to the non-static { or adaptive { adversary setting).

3 Distributed Key Generation in DLog-Based Schemes In this section we de ne the minimal requirements for a secure distributed key generation protocol. We show how previous solutions fail to satisfy these requirements. We also discuss the applicability of our attacks to other existing distributed protocols.

3.1 Requirements of a Secure

DKG

Protocol

As we mentioned in the introduction, distributed generation of keys in a discrete{log based scheme amounts to generating a secret sharing of a random, uniformly distributed value x and making public the value y = g x . Speci cally, in a discrete{log based scheme with a large prime p and an element g of order q in Zp where q is a large prime dividing p ? 1, the distributed protocol DKG performed by n players P1 ; : : :; Pn generates private outputs x1; : : :; xn, called the shares, and a public output y. The protocol is called t-secure (or secure with threshold t) if in the presence of an attacker that corrupts at most t parties the following requirements for correctness and secrecy are satis ed:

Correctness: (C1) All subsets of t + 1 shares provided by honest players de ne the same unique secret key x. (C2) All honest parties have the same value of public key y = g x mod p, where x is the unique secret guaranteed by (C1). (C3) x is uniformly distributed in Zq (and hence y is uniformly distributed in the subgroup generated by g ). Secrecy: No information on x can be learned by the adversary except for what is implied by the value y = g x mod p. More formally, we state this condition in terms of simulatability: for every (probabilistic polynomial-time) adversary A, there exists a (probabilistic polynomial-time) simulator SIM , such that on input an element y in the subgroup of Zp generated by g, produces an output distribution which is polynomially indistinguishable from A's view of a run of the DKG protocol that ends with y as its public key output, and where A corrupts up to t parties. The above is a minimal set of requirements needed in all known applications of such a protocol. In many applications a stronger version of (C1) is desirable, which re ects two additional aspects: (1) It requires the existence of an ecient procedure to build the secret x out of t +1 shares; and (2) it requires this procedure to be robust, i.e. the reconstruction of x should be possible also in the presence of malicious parties that try to foil the computation. We note that these added properties are useful not only in applications that require explicit 3

reconstruction of the secret, but also in applications (such as threshold cryptosystems) that use the secret x in a distributed manner (without ever reconstructing it) to compute some cryptographic function, e.g. a signature. Thus, we formulate (C1') as follows: (C1') There is an ecient procedure that on input the n shares submitted by the players and the public information produced by the DKG protocol, outputs the unique value x, even if up to t shares are submitted by faulty players.

3.2 The Insecurity of a Common

DKG

Protocol

The Joint-Feldman Protocol. Feldman [Fel87] presents a veri able secret sharing (VSS)

protocol, denoted by Feldman-VSS, that allows a trusted dealer to share a key x among n parties in a way that the above security properties are achieved (with the exception that the protocol assumes the dealer never to be corrupted by the attacker). Based on this protocol, Pedersen [Ped91a] proposes the rst distributed solution to this problem, i.e. the rst DKG protocol. It speci es the run of n parallel executions of Feldman-VSS as follows. Each player Pi selects a random secret zi 2 Zq and shares it among the n players using Feldman-VSS. This de nes the set QUAL of players that shared their secrets properly. The random secret x is set to be the sum of the properly shared secrets and each player can compute his share of x by locally summing up the shares he received. The value y can be computed as the product of the public values yi = g zi mod p generated by the proper executions of the Feldman-VSS protocols. Similarly, the veri cation values A1; : : :; At necessary for robust reconstruction of x in Feldman-VSS, can be computed as products of the corresponding veri cation values generated by each properly executed VSS protocol. In Figure 1 we present a simpli ed version of the protocol proposed in [Ped91a], which we call Joint-Feldman. By concentrating on the core of the protocol we are able to emphasize the central weakness in its design. We also show that several variants of this core protocol (including the full protocol from [Ped91a] and other modi cations [HJKY95, HJJ+ 97]) are also insecure. An Attack Against Joint-Feldman. We show how an adversary can in uence the distribution of the result of Joint-Feldman to a non-uniform distribution. It can be seen, from the above description of the protocol that the determining factor for what the value x will be, is the de nition of the set QUAL. The attack utilizes the fact that the decision whether a player is in QUAL or not, even given the fully synchronous communication model, occurs after the adversary has seen the values yi of all players. The values yi are made public in Step 1 and the disquali cation of players occurs in Steps 2-3. Using this timing discrepancy, the attacker can a ect the distribution of the pair (x; y ). More speci cally the attack works as follows. Assume the adversary wants to bias the distribution towards keys y whose last bit is 0. It assumes two faulty players, say P1 and P2. In Step 1, P1 gives players P3; :::; Pt+2 shares which are inconsistent with his broadcast values, i.e. they do not pass the test of Step 2. The rest of the players receive consistent shares. Thus, in Step 2 there will be t complaints against P1 , yet t complaints are not sucient for disquali cation. Now, at the end of Step 1 the adversary computes Q Q n n = i=1 yi and = i=2 yi. If ends with 0 then P1 will do nothing and continue the protocol as written. If ends with 1 then the adversary forces the disquali cation of P1 4

Protocol Joint-Feldman 1. Each player Pi chooses a random polynomial fi (z ) over Zq of degree t: fi (z ) = ai0 + ai1z + : : : + ait z t Pi broadcasts Aik = gaik mod p for k = 0; : : :; t. Denote ai0 by zi and Ai0 by yi . Each Pi computes the shares sij = fi (j ) mod q for j = 1; : : :; n and sends sij secretly to player Pj . 2. Each Pj veri es the shares he received from the other players by checking for i = 1; : : :; n:

gsij =

Yt

(Aik )j k mod p

k=0

(1)

If the check fails for an index i, Pj broadcasts a complaint against Pi. 3. If more than t players complain against a player Pi , that player is clearly faulty and he is disquali ed. Otherwise Pi reveals the share sij matching Eq. 1 for each complaining player Pj . If any of the revealed shares fails this equation, Pi is disquali ed. We de ne the set QUAL to be the set of non-disquali ed players. Q 4. The public value y is computed as y = i2QUAL Q yi mod p. The public veri cation values are computed as Ak = i2QUAL Aik mod p for kP= 1; : : :; t. Each player Pj sets his share of the secret as xj = i2QUAL sij mod q. The secret shared value P x itself is not computed by any party, but it is equal to x = i2QUAL zi mod q.

Figure 1: An insecure solution for distributed generation of secret keys in Step 3. This is achieved by asking P2 to also broadcast a complaint against P1 , which brings the number of complaints to t + 1. This action sets the public value y to which ends with 0 with probability 1/2. Thus e ectively the attacker has forced strings ending in 0 to appear with probability 3/4 rather than 1/2. Why the Simulation Fails. An attempt to prove this protocol secure would use a simulation argument. Following is an explanation of why such a simulator would fail. Consider a simulator S which receives the value y and needs to \hit" this value. That is, S needs to generate a transcript which is indistinguishable from an actual run of the protocol that outputs y as the public key, and where the adversary controls up to t players, say P1; :::; Pt. The simulator has enough information to compute the values z1; :::; zt that the adversary has shared in Step 1. Now S needs to commit itself to the values shared by the good players. However, the attack described in the paragraph above can be easily extended to a strategy that allows the adversary to decide in Steps 2-3 on the set Q of faulty players whose values 5

will be considered in the nal computation (i.e. QUAL = Q [ ft + 1; :::; ng). Consequently, in Step 1,Qthe simulator S does not know how to pick the good players' values yt+1 ; :::; yn so that ( i2Q yi )  (yt+1  :::  yn ) = y mod p, as S still does not know the set Q. Since the number of possible sets Q that the adversary can choose is exponential in t, then S has no e ective strategy to simulate this computation in polynomial time. Other Insecure Variants of the Joint-Feldman Protocol. The many variants and extensions of the Joint-Feldman protocol which have appeared in the literature are also insecure. They all fail to achieve the correctness property (C3) and the secrecy requirement as presented in Section 3.1. The variants include: signatures on shares, commitments to yi , committing encryption on broadcast channel, committing encryption with reconstruction, and \stop, kill and rewind". Due to space limitations, we invite the reader to the on-line appendix to this paper [GJKR99] for the description of these variants and their aws.

4 The New Protocol Our solution enjoys the same avor and simplicity as the Joint-Feldman protocol presented in Figure 1, i.e. each player shares a random value and the random secret is generated by summing up these values. But we use a di erent sharing and then introduce methods to extract the public key. We start by running a commitment stage where each player Pi commits to a t-degree polynomial (t is the scheme's threshold) fi (z ) whose constant coecient is the random value, zi, contributed by Pi to the jointly generated secret x. We require the following properties from this commitment stage: First, the attacker cannot force a commitment by a (corrupted) player Pj to depend on the commitment(s) of any set of honest players. Second, for any player Pi that is not disquali ed during this stage, there is a unique polynomial fi committed to by Pi and this polynomial is recoverable by the honest players (this may be needed if player Pi misbehaves at a later stage of the protocol). Finally, for each honest player Pi and non-disquali ed player Pj , Pi holds the value fi (j ) at the end of the commitment stage. To realize the above commitment stage we use the information-theoretic veri able secret sharing (VSS) protocol due to Pedersen [Ped91b], and which we denote by Pedersen-VSS. We show that at the end of the commitment stage the value of the secret x is determined and no later misbehavior by any party can change it (indeed, if a non-disquali ed player misbehaves later in the protocol his value zi is publicly reconstructed by the honest players). Most importantly, this guarantees that no bias in the output x or y of the protocol is possible, and it allows us to present a full proof of security based on a careful simulation argument. After the value x is xed we enable the parties to eciently and securely compute g x mod p. In the next subsection we present the detailed solution and its analysis. But rst we expand on Pedersen's VSS protocol. Pedersen's VSS. As said, we use the protocol Pedersen-VSS introduced in [Ped91b] as a central tool in our solution. For lack of space we do not explicitly describe Pedersen-VSS here, however its description is implicit in step 1 of Figure 2. We note that this protocol uses, in addition to the parameters p; q; g which are inherent to the DKG problem, an element h in the subgroup of Zp generated by g. It is assumed that the adversary cannot nd the discrete logarithm of h relative to the base g . In section 4.2 we discuss how this value 6

of h can be generated in the context of our DKG solution. Some of the main properties of Pedersen-VSS are summarized in the next Lemma and used in the analysis of our DKG solution in the next subsection.

Lemma 1 [Ped91b] Pedersen-VSS satis es the following properties in the presence of an adversary that corrupts at most t parties and which cannot compute dlogg h: 1. If the dealer is not disquali ed during the protocol then all honest players hold shares that interpolate to a unique polynomial of degree t. In particular, any t + 1 of these shares suce to eciently reconstruct (via interpolation) the secret s. 2. The protocol produces information (the public values Ck and private values s0i ) that can be used at reconstruction time to test for the correctness of each share; thus, reconstruction is possible, even in the presence of malicious players, from any subset of shares containing at least t + 1 correct shares. 3. The view of the adversary is independent of the value of the secret s, and therefore the secrecy of s is unconditional.

4.1 Secure

DKG

Protocol

Our secure solution to the distributed generation of keys follows the above ideas and is presented in detail in Figure 2. We denote this protocol as DKG. The security properties of this solution are stated in the next Theorem.

Theorem 1 Protocol DKG from Figure 2 is a secure protocol for distributed key gener-

ation in discrete-log based cryptosystems, namely, it satis es the correctness and secrecy requirements of Section 3.1 with threshold t, for any t < n=2.

Proof of Correctness. We rst note that all honest players in the protocol compute the same set QUAL since the determination of which players are to be disquali ed depends on public broadcast information which is known to all (honest) players. (C1) At the end of Step 2 of the protocol it holds that if i 2 QUAL then player Pi has successfully performed the dealing of zi under Pedersen-VSS. From part 1 of Lemma 1 we know that all honest players hold shares (sij ) which interpolate to a unique polynomial with coecient equal to zi . Thus, for any set R of t + 1 correct shares, zi = P constant j 2R j  sij mod q where j are appropriate Lagrange interpolation coecients for the set R. Since each honest party Pj computes its share xj of x as xj = Pi2QUAL sij , then we have that for the set of shares R: x=

X

i2QUAL

0 1 0 1 X @X X X X zi =

j  sij A = j  @ sij A = j xj i2QUAL j 2R

j 2R

i2QUAL

j 2R

Since this holds for any set of t + 1 correct shares then x is uniquely de ned. (C1') The above argument in (C1) shows that the secret x can be eciently reconstructed, via interpolation, out of any t + 1 correct shares. We need to show that we can tell apart 7

Protocol DKG

Generating x:

1. Each player Pi performs a Pedersen-VSS of a random value zi as a dealer: (a) Pi chooses two random polynomials fi (z ); fi0 (z ) over Zq of degree t:

fi (z ) = ai0 + ai1z + : : : + ait z t fi0 (z ) = bi0 + bi1 z + : : : + bit z t Let zi = ai0 = fi (0). Pi broadcasts Cik = gaik hbik mod p for k = 0; : : :; t. Pi computes the shares sij = fi (j ); s0ij = fi0 (j ) mod q for j = 1; : : :; n and sends sij ; s0ij to player Pj . (b) Each player Pj veri es the shares he received from the other players. For each i = 1; : : :; n, Pj checks if gsij hs0ij =

Yt k=0

k (Cik )j mod p

(2)

If the check fails for an index i, Pj broadcasts a complaint against Pi . (c) Each player Pi who, as a dealer, received a complaint from player Pj broadcasts the values sij ; s0ij that satisfy Eq. 2. (d) Each player marks as disquali ed any player that either received more than t complaints in Step 1b, or answered to a complaint in Step 1c with values that falsify Eq. 2. 



2. Each player then builds the set of non-disquali ed players QUAL. (We show in the analysis that all honest players build the same set QUAL and hence, for simplicity, we denote it with a unique global name.) 3. The distributed secret value explicitly computed by any P x is not party, but it equals x = i2QUAL z mod q. Each player Pi sets i P his share of the secret as x = s i j 2QUAL ji mod q and the value P x0i = j 2QUAL s0ji mod q. Extracting y = gx mod p: 4. Each player i QUAL exposes yi = gzi mod p via Feldman VSS: 2

(a) Each player Pi, i QUAL, broadcasts Aik = gaik mod p for k = 0; :::; t. (b) Each player Pj veri es the values broadcast by the other players in QUAL, namely, for each i QUAL, Pj checks if 2

2

gsij =

Yt

(Aik )j k mod p

k=0

(3)

If the check fails for an 8index i, Pj complains against Pi by broadcasting the values sij ; s0ij that satisfy Eq. 2 but do not satisfy Eq. 3. (c) For players Pi who receive at least one valid complaint, i.e. values which satisfy Eq. 2 and not Eq. 3, the other play-

correct shares from incorrect ones. For this we show that for each share xj , the value g xj can be computed from publicly available information broadcast in Step 4a:

gxj

=g

P

i2QUAL sij

=

Y i2QUAL

gsij

=

Y Yt

(Aik )j k mod p

i2QUAL k=0

where the last equality follows from Eq. 3. Thus the publicly available value g xj makes it possible to verify the correctness of share xj at reconstruction time. (C2) The value y is computed (by the honest players) as y = Qi2QUAL yi mod p, where the values of yi are derived from information broadcast in the protocol and thus known to all P x honest players. We need to show that indeed y = g where x = i2QUAL will show P zi. We Q Q z i z z i i that for i 2 QUAL, yi = g , and then y = i2QUAL yi = i2QUAL g = g i2QUAL = g x. For parties i 2 QUAL against whom a valid complaint has been issued in Step 4b value zi is publicly reconstructed and yi set to g zi mod p (the correct reconstruction of zi is guaranteed by Lemma 1 (part 2)). Now we need to show that for Pi , i 2 QUAL, against whom a valid complaint has not been issued, the value yi is set to Ai0 . Values Aik ; k = 0; : : :; t broadcast by player Pi in Step 4a de ne a t-degree polynomial f^i (z ) in Zq . Since we assume that no valid complaint was issued against Pi then Eq. 3 is satis ed for all honest players, and thus f^i(z) and fi(z) have at least t + 1 points in common, given by the shares sij held by the uncorrupted players Pj . Hence they are equal, and in particular Ai0 = g fi(0) = g zi . (C3) The secret x is de ned as x = Pi2QUAL zi. Note that as long as there is one value zi in this sum that is chosen at random and independently from other values in the sum, we are guaranteed to have uniform distribution of x. Also note that the secret x and the components zi in the sum are already determined at the end of Step 2 of DKG (since neither the values zi nor the set QUAL change later). Let Pi be a non-corrupted player; in particular, i 2 QUAL. At the end of Step 1 of the protocol zi exists only as a value dealt by Pi using Pedersen-VSS. By virtue of part 3 of Lemma 1 the view (and thus actions) of the adversary are independent of this value zi and hence the secret x is uniformly distributed (as zi is). Proof of Secrecy. We provide a simulator SIM for the DKG protocol in Figure 3. Here we show that the view of the adversary A that interacts with SIM on input y is the same as the view of A that interacts with the honest players in a regular run of the protocol that outputs the given y as the public key. In the description and analysis of the simulator we assume, without loss of generality, that the adversary compromises players P1 ; : : :; Pt0 , where t0  t. We denote the indices of the players controlled by the adversary by B = f1; : : :; t0g, and the indices of the players controlled by the simulator by G = ft0 + 1; : : :; ng. In a regular run of protocol DKG, A sees the following probability distribution of data produced by the uncorrupted parties:

 Values fi(j ); fi0(j ); i 2 G ; j 2 B, uniformly chosen in Zq (and denoted as sij ; s0ij , resp.).  Values Cik ; Aik; i 2 G ; k = 0; : : :; t that correspond to (exponents of) coecients of randomly chosen polynomials and for which the Eqs. (2) and (3) are satis ed for all j 2 B. 9

Algorithm of simulator SIM We denote by the set of players controlled by the adversary, and by the set of honest parties (run by the simulator). Wlog, = 1; : : :; t0 and = t0 + 1; : : :; n , t0 t. Input: public key y 1. Perform Steps 1a-1d,2 on behalf of the uncorrupted players Pt0+1 ; : : :; Pn exactly as in protocol DKG. This includes receiving and processing the information sent privately and publicly from corrupted players to honest ones. At the end of Step 2 the following holds: The set QUAL is well-de ned. Note that QUAL and that polynomials fi (z ); fi0 (z ) for i are chosen at random. The adversary's view consists of polynomials fi (z ); fi0 (z ) for i , the shares (sij ; s0ij ) = (fi (j ); fi0 (j )) for i QUAL, j , and all the public values Cik for i QUAL, k = 0; : : :; t. SIM knows all polynomials fi (z ); fi0 (z ) for i QUAL (note that for i QUAL the honest parties, and hence SIM , receive enough consistent shares from the adversary that allow SIM to compute all these parties' polynomials). In particular, SIM knows all the shares sij ; s0ij , the coecients aik ; bik and the public values Cik . 2. Perform the following computations: { Compute Aik Q = gaik for i QUAL n , k = 0; : : :; t  { Set An0 = y i2(QUALnfng) (Ai0 )?1 mod p { Assign snj = snj = fn (j ) forQj = 1; : : :; t { Compute Ank = (An0)k0 ti=1 (gsni )ki for k = 1; : : :; t, where ki's are the Lagrange interpolation coecients. B

G

B

G

f

g

f

g





G 

2 G



2 B

2

2 B

2



2

2

\B

2

nf

g





(a) Broadcast Aik for i n ; and Ank for k = 0; : : :; t (b) Perform for each uncorrupted player the veri cations of Eq. 3 on the values Aik , i , broadcast by the players controlled by the adversary. If the veri cation fails for some i ; j , broadcast a complaint (sij ; s0ij ). (Notice that the corrupted players can publish a valid complaint only against one another.) (c) Perform Step 4c of the protocol on behalf of the uncorrupted parties, i.e. perform reconstruction phase of Pedersen-VSS to compute zi and yi in the clear for every Pi against whom a valid accusation was broadcast in the previous step. 2 G nf

g

2 B

2 B

2 G

Figure 3: Simulator for the shared key generation protocol DKG

10

Since here we are interested in runs of DKG that end with the value y as the public key output of the protocol, we note that the above distribution of values is induced by the choice (of the good players) of polynomials fi (z ); fi0(z ), i 2 G , uniformly distributed in the family of t-degree polynomials over Zq subject to the condition that

Y

i2QUAL

Ai = y mod p : 0

(4)

In other words, this distribution is characterized by the choice of polynomials fi (z ); fi0(z ) for i 2 (G n fng) and fn0 (z ) as random independent t-degree polynomials over Zq , and of fn(z) as a uniformly chosen polynomial from P the family of t-degree polynomials over Zq that satisfy the constraint fn (0) = dlogg (y ) ? i2(QUALnfng) fi (0) mod q . (This last constraint is necessary and sucient to guarantee Eq. (4).) Note that, using the notation of values computed by SIM in Step 2 of the simulation, the last constraint can be denoted as fn(0) = dlogg(An0). We show that the simulator SIM outputs a probability distribution which is identical to the above distribution. First note that the above distribution depends on the set QUAL de ned at the end of Step 2 of the protocol. Since all the simulator's actions in Step 1 of the simulator are identical to the actions of honest players interacting with A in a real run of the protocol, thus we are assured that the set QUAL is de ned at the end of this simulation step identically to its value in the real protocol. We now describe the output distribution of SIM in terms of t-degree polynomials fi and fi0 corresponding to the choices of the simulator when simulating the actions of the honest players and de ned as follows: For i 2 G n fng, set fi to fi and fi0 to fi0 . For i = n, de ne fn via the values1 fn (0) = dlogg (An0) and fn(j ) = snj = fn(j ) ; j = 1; : : :; t. Finally, the polynomial fn0 is de ned via the relation: fn(z) + d  fn0(z) = fn(z) + d  fn0 (z) mod q, where d = dlogg(h). It can be seen that by this de nition that the values of these polynomials evaluated at the points j 2 B coincide with the values fi (j ); fi0(j ) which are seen by the corrupted parties in Step 1 of the protocol. Also, the coecients of these polynomials agree with the exponentials Cik published by the simulated honest parties in Step 1 of the protocol (i.e. Cik = g aik hbik where aik and bik are the coecients of polynomials fi (z ); fi0(z ), respectively, for i 2 G ), as well as with the exponentials Aik ; i 2 G n fng and Ank published by the simulator in Step 2a on behalf of   a a nk ik the honest parties (i.e. Aik = g , i 2 G n fng and Ank = g ; k = 0; : : :; t) corresponding to the players' values in Step 4a of the protocol. Thus, these values pass the veri cations of Eq. (2) and (3) as in the real protocol. It remains to be shown that polynomials fi and fi0 belong to the right distribution. Indeed, for i 2 G n fng this is immediate since they are de ned identically to fi and fi0 which are chosen according to the uniform distribution. For fn we see that this polynomial evaluates in points j = 1; : : :; t to random values (snj ) while at 0 it evaluates dlogg (An0) as required to satisfy Eq. 4. Finally, polynomial fn0 is de ned (see above) as fn0 (z ) = d?1  (fn(z) ? fn(z))+ fn0 (z) and since fn0 (z) is chosen in Step 1 as a random and independent polynomial then so is fn0 (z ). Note that in this description we use discrete log values unknown to the simulator; this provides a mathematical description of the output distribution of SIM useful for our analysis but does not require or assume that SIM can compute these values. 1

11

4.2 Remarks

Eciency. We point out that our secure protocol does not lose much in eciency with

respect to the previously known insecure Joint-Feldman protocol. Instead of Feldman-VSS, each player performs Pedersen-VSS (Steps 1-3), which takes the same number of rounds and demands at most twice more local computation. The extraction of the public key in Step 4 adds only two rounds (one if no player is dishonest) to the whole protocol. We point out that all the long modular exponentiations needed during this extraction have already been computed during the Pedersen-VSS phase, thus Step 4 is basically \for free" from a computational point of view. Generation of h. The public value h needed to run Pedersen's VSS can be easily generated jointly by the players. Indeed it is important that nobody knows the discrete log of h with respect to g . The procedure for generating h consists of a generic distributed coin ipping protocol which generates a random value r 2 Zp . To generate a random element in the subgroup generated by g it will be enough to set h = rk mod p where k = (p ? 1)=q . If q 2 does not divide p ? 1 (which is easily checkable) then h is an element in the group generated by g .

4.3 Other Applications of a

DKG

Protocol

DKG protocols have more applications than just key generation. We sketch here two of these applications where previous awed DKG protocols were used and for which our solution can serve as a secure plug-in replacement. Randomizers in ElGamal/DSS Threshold Signatures. Signature schemes based on variants of the ElGamal scheme [ElG85], such as DSS, usually consist of a pair (r; s) where r = gk for a random value k 2 Zq . Several robust threshold versions of such signature schemes have been proposed in the literature [CMI93, GJKR96, PK96]. In these schemes the public value r and the sharing of the secret value k is jointly generated by the players running a DKG protocol. Clearly, in order for the resulting threshold scheme to be identical to the centralized case, r must be uniformly distributed in the group generated by g . However, each of these papers uses a version of the Joint-Feldman protocol which allows an adversary to bias the distribution of r. Our DKG protocol xes this problem. Refresh Phase in Proactive Secret Sharing and Signature Schemes. Proactive secret sharing [HJKY95] and signature schemes [HJJ 97] were introduced to cope with mobile adversaries who may corrupt more than t servers during the lifetime of the secret. In these protocols time is divided into stages, with an assumption that the adversary may corrupt at most t servers in each stage. However in di erent stages the adversary can control di erent players. In order to cope with such adversaries the basic idea of proactive secret sharing is to \refresh" the shares at the beginning of each stage so that they will be independent from shares in previous stages, except for the fact that they interpolate to the same secret. This is achieved by the players jointly creating a random polynomial f (z ) of degree t with free term 0 such that each player Pi holds f (i). If the share of player Pi at the previous stage was si , the new share will be si + f (i). In order to generate f (z ) the players run a variation of Joint-Feldman where each player shares value zi = 0. The polynomial f (z ) is the sum of the polynomials fi (z ) picked by each player (see Figure 1). It should be clear +

12

that the same attack described in Section 3.2 to bias the free term of f (z ) can be carried out to bias its any other coecient. The result is that the polynomial f (z ) generated by this refresh phase is not truly random, which implies that shares from di erent stages are not independent. Our DKG protocol xes this problem as well.